CCA Release 2.54
Understanding Profiles
Any user who needs to be authenticated to the Coprocessor must have a user
profile. Users who only need the capabilities defined in the default role do not need
a profile.
A user profile defines a specific user to the CCA implementation. Each profile
contains the following information:
User ID This is the “name” used to identify the user to the Coprocessor. The User
ID is an eight-byte value, with no restrictions on its content. Although it will
typically be an unterminated ASCII (or EBCDIC on OS/400) character string,
any 64-bit string is acceptable.[2]
Comment A 20-byte comment can be incorporated into the profile for future
reference.
Logon Failure Count This field contains a count of the number of consecutive
times the user has failed a logon attempt, due to incorrect authentication data.
The count is reset each time the user has a successful logon. The user is no
longer allowed to log on after three consecutive failures. This lockout
condition can be reset by an administrator whose role has sufficient authority.
Role ID This character string identifies the role that contains the user's
authorization information. The authority defined in the role takes effect after
the user successfully logs on to the Coprocessor.
Activation and Expiration Dates These values define the first and last dates on
which this user is permitted to log on to the Coprocessor. An administrator
whose role has the necessary authority can reset these fields to extend the
user's access period.
Authentication Data Authentication data is the information used to verify the
identity of the user. It is a self-defining structure, which can accommodate
many different authentication mechanisms. In the current CCA
implementation, the user is authenticated by means of a passphrase
supplied to the Logon_Control verb.
The profile's authentication-data field can hold data for more than one
authentication mechanism. If more than one is present in a user's profile, any
of the mechanisms can be used to log on. Different mechanisms, however,
may have different strengths.
The structure of the authentication data is described in “Authentication Data
Structure” on page B-33.
In addition, the profile contains other control and error-checking fields. The detailed
layout of the profile data-structure can be found in “Profile Structure” on page B-32.
Profiles are stored in non-volatile memory inside the secure module on the
Coprocessor. When a user logs on, the stored profile is used to authenticate the
information presented to the Coprocessor. In most applications, the majority of
users will operate under the default role and will not have user profiles. Only the
security officers and other special users will need profiles.
[2] In many cases, a utility program will be used to enter the user ID. That utility may restrict the ID to a specific character set.
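The logon policy that the profile fields above define (a consecutive-failure count that locks the profile after three bad attempts and is cleared only by a successful logon or an authorized administrator, an activation/expiration window, and a passphrase as one of possibly several authentication mechanisms), as an added Python model. This is not code from the manual, from the CCA API, or from the Coprocessor firmware: the in-memory layout, the salted PBKDF2 digest used to hold the passphrase, the role names, the date type and the `demo_scenario` walk-through are all assumptions of the model. The real structures are the ones on pages B-32 and B-33.

```python
"""Model of the CCA user-profile logon policy described above.

Added illustration, not CCA code: the real profile layout and passphrase
mechanism live inside the Coprocessor (see "Profile Structure", B-32, and
"Authentication Data Structure", B-33). The salted PBKDF2 digest, the
dictionary keyed by mechanism name, the role names and the date type are
assumptions of this model.
"""
from dataclasses import dataclass, field
from datetime import date
import hashlib
import hmac
import os

MAX_FAILURES = 3        # lockout threshold stated in the manual
PBKDF2_ROUNDS = 50_000  # assumed; the Coprocessor's real mechanism is not described here


class LogonError(Exception):
    """Raised when a logon is refused; the message says why."""


@dataclass
class Profile:
    user_id: bytes          # exactly eight bytes, any content
    role_id: str            # role whose authority applies after logon
    activation: date        # first day logon is permitted
    expiration: date        # last day logon is permitted
    comment: bytes = b""    # up to 20 bytes, free text
    failure_count: int = 0  # consecutive failed logons
    # Assumed representation: one entry per authentication mechanism,
    # so a profile can carry data for more than one mechanism.
    auth_data: dict = field(default_factory=dict)

    def __post_init__(self):
        if len(self.user_id) != 8:
            raise ValueError("User ID must be exactly 8 bytes")
        if len(self.comment) > 20:
            raise ValueError("comment may not exceed 20 bytes")


def set_passphrase(profile: Profile, passphrase: str) -> None:
    """Store a salted digest of the passphrase, never the passphrase itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS)
    profile.auth_data["passphrase"] = (salt, digest)


def check_passphrase(profile: Profile, passphrase: str) -> bool:
    entry = profile.auth_data.get("passphrase")
    if entry is None:
        return False  # this profile cannot log on with a passphrase
    salt, digest = entry
    candidate = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)  # constant-time compare


def logon(profile: Profile, passphrase: str, today: date) -> str:
    """Return the role ID on success, raise LogonError otherwise.

    Order matters: a locked profile stays locked even with the right
    passphrase, and only incorrect authentication data advances the
    failure count, so the date window is checked before the passphrase.
    """
    if profile.failure_count >= MAX_FAILURES:
        raise LogonError("profile locked after %d consecutive failures" % MAX_FAILURES)
    if not (profile.activation <= today <= profile.expiration):
        raise LogonError("outside activation/expiration window")
    if not check_passphrase(profile, passphrase):
        profile.failure_count += 1
        raise LogonError("authentication failed (%d/%d)" % (profile.failure_count, MAX_FAILURES))
    profile.failure_count = 0  # successful logon resets the count
    return profile.role_id


def reset_lockout(profile: Profile, admin_role_id: str, authorized_roles: set) -> None:
    """Administrative reset of the failure count; the caller's role must be authorized."""
    if admin_role_id not in authorized_roles:
        raise PermissionError("role %r may not reset lockouts" % admin_role_id)
    profile.failure_count = 0


def demo_scenario() -> list:
    """Walk a constructed profile through lockout, admin reset and expiry."""
    log = []
    # Constructed sample profile; "SECOFR" is a hypothetical role name.
    p = Profile(b"SECOFR01", "SECOFR", date(2005, 1, 1), date(2005, 12, 31), b"security officer")
    set_passphrase(p, "correct horse battery")
    day = date(2005, 2, 14)

    log.append(logon(p, "correct horse battery", day))   # "SECOFR"
    for _ in range(MAX_FAILURES):                         # three bad passphrases
        try:
            logon(p, "wrong", day)
        except LogonError as e:
            log.append(str(e))
    try:                                                  # locked now, even when correct
        logon(p, "correct horse battery", day)
    except LogonError as e:
        log.append(str(e))
    reset_lockout(p, "SECOFR", {"SECOFR"})                # authorized administrator clears it
    log.append(logon(p, "correct horse battery", day))   # works again
    try:                                                  # past expiration: refused, count unchanged
        logon(p, "correct horse battery", date(2006, 1, 1))
    except LogonError as e:
        log.append(str(e))
    log.append(p.failure_count)
    return log


if __name__ == "__main__":
    for line in demo_scenario():
        print(line)
```

The two ordering decisions in `logon` are the ones a practitioner should check against the real policy: the lock is tested before the passphrase, so a locked user cannot clear the condition by guessing correctly, and the date window is tested before the passphrase, so an attempt outside the window does not burn one of the three allowed failures.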
2-4 IBM 4758 CCA Basic Services, Release 2.54, February 2005